Cloud Computing Demands Cloud Data Encryption

Enterprises that have adopted the cloud are finding that while cloud computing confers very real benefits, it also creates significant security challenges, which traditional network and perimeter security measures are inadequate to address. Organizations must protect their data, rather than their infrastructure, if they use the cloud at all. Cloud data encryption is the answer.

Government spying isn't enterprises' only concern, of course. As more and more sensitive data—much of it protected by data privacy regulations like HIPAA, HITECH, GLBA, and PCI DSS—makes its way into the cloud, the threats of data theft and inadvertent data leakage loom ever larger. Data breaches and compliance violations are serious business. Penalties can hit seven figures, and mandatory breach disclosures can deal catastrophic damage to organization's reputations.

Traditionally, enterprises have sought to secure their data from theft and leakage by locking it down behind a corporate perimeter, keeping it under the enterprise's control and rendering it less vulnerable to access by third parties. These days, however, many companies are finding the on-premises model untenable. Data is proliferating thanks to technology movements like Big Data and the Internet of Things. Meanwhile, mobility and BYOD demand anytime, anywhere access to applications and data. Supporting all these initiatives in-house would cost more than many organizations are willing—or able—to invest, making the cloud an attractive alternative.

But with cloud computing comes a loss of control. When your data's housed on a third party's servers, how confident can you be that it's safe? And even if your cloud service providers make good on their promises of cloud encryption, who's to say they won't turn your data over to government agencies without your knowledge or consent? What about all the copies of your data being made, moved, and backed up as part of your cloud service providers' everyday operations?

For these reasons, 2014 looks set to be the year of encryption, as Enterprise Networking Planet contributor Paul Rubens wrote for BBC.com. Cloud data encryption solves many of the control challenges that enterprises face in the cloud. Even if cloud service providers are infiltrated or compelled to disclose data, for example, whatever is encrypted will remain unreadable to unauthorized viewers as long as enterprises retain control of their encryption keys. Additionally, placing the focus on the data rather than on infrastructure helps ensure that data will remain safe even if hardware vulnerabilities are exploited.

Provider-side cloud encryption

One common cloud data encryption solution involves service providers encrypting customers' data. That's the approach that major cloud service providers like Microsoft, Google, and Yahoo are taking. To help other cloud hosts and service providers offer encryption services, EMC last week announced its choice of the AFORE Solutions CloudLink SecureVSA to anchor its Encryption as a Service (EaaS) offering. EMC touts EaaS as a way for cloud hosts and cloud service providers to "offer their customers simple to deploy, pay-as-you-go data encryption," according to an AFORE statement.

What may make EaaS particularly attractive, both to the cloud service providers that offer it and the enterprises looking to adopt it, is its flexibility. CloudLink supports both VMware vSphere and Microsoft Hyper-V; runs in private, hybrid, and public cloud environments; and requires no additional hardware to deploy. It provides strong AES 256-bit encryption for data in rest and motion and, perhaps most critically, includes options for customers to manage their own encryption keys, ensuring the continued protection of their data even in the event of a breach. Service providers looking to beef up their security offerings and assuage their customers' security concerns may find it a useful tool. So might customers hoping to streamline their cloud encryption efforts.

Client-side cloud data encryption

On the other hand, for enterprises who've adopted any of a number of popular public cloud services like Salesforce, Box, Dropbox, or Google, client-side cloud data encryption may be the way to go. A number of cloud encryption gateways exist to enable enterprises to detect and encrypt sensitive data at the moment it leaves the corporate perimeter. These solutions require an infrastructure investment but can provide peace of mind for enterprises unwilling to trust cloud service providers' encryption promises.

Among vendors offering cloud encryption gateways, CipherCloud stands out with the robustness of its offering. CipherCloud's cloud data encryption solution comes pre-integrated with a number of popular public cloud services and boasts easy integration with any other cloud service the customer chooses. The vendor claims this helps ensure that encrypted data remains searchable, sortable, and reportable—in other worlds, functional—in the cloud. A number of different encryption and tokenization options and granular control of their application to different data types helps enterprises maintain control over their data protection, as does enterprise-exclusive encryption key access and management. And data discovery and DLP tools enable customers to gain visibility and control of all their protected cloud data and the activity around it.

The future of cloud data security is cloud encryption

A consensus is growing among IT security experts that security must focus on the data itself, as the closing keynote panel at InfoSecurity Europe 2014 demonstrated. That's nowhere as apparent as in the cloud, especially now that enterprises are moving more and more production workloads and sensitive data offsite. "As they do so, regulatory compliance and corporate security policy dictate that sensitive data must be encrypted in the cloud," Mike Byrnes, director of product marketing at AFORE, told me.

"Encryption is a vital component of a strong security posture for any size organization, and it should be a standard offering within the cloud," Chris Cicotte, EMC CISSP VCP cloud architect/SP specialist, said. He added, "The threat landscape has already begun to evolve, and from an overall security perspective, we need to take a proactive approach by layering in technologies like encryption at every layer."